ETSI EN 303 645 – Consumer IoT Security
1. Why EN 303 645 matters now
ETSI EN 303 645 is the globally recognized baseline standard for the security of consumer-facing "Internet of Things" (IoT) devices. It establishes a practical, risk-based set of 13 high-level security provisions and additional data protection provisions that manufacturers can implement to protect their products against common cybersecurity threats.
While it began as a European standard, its straightforward, outcome-focused approach has led to its adoption as the foundation for IoT security regulations and certification schemes worldwide, including in the UK, Singapore, and Australia. For companies selling consumer IoT products globally, complying with EN 303 645 is the single most effective step towards meeting multiple international requirements.
- ETSI EN 303 645 (V3.1.3): available from the ETSI website. The core standard defining the security and data protection provisions. This is the legally significant text.
- ETSI TS 103 701: Conformance Assessment Specification. This document defines the mandatory test cases for verifying that each provision in the standard has been met. It is used by test labs for conformity assessment.
- ETSI TR 103 621: Implementation Guide. This technical report provides non-exhaustive examples and guidance for implementing the standard's provisions. It is a helpful resource but not legally binding.
Timeline of Key Dates
Date | Event | Reference |
---|---|---|
2020-06-12 | First version (V2.1.1) published. | ETSI EN 303 645 V2.1.1 |
2024-09-11 | Current version (V3.1.3) adopted by ETSI. | EN 303 645 Foreword |
2024-12-31 | Latest date for announcement of the EN at national level. | EN 303 645 Foreword |
2025-06-30 | Date of publication for new National Standards endorsing the EN, and withdrawal of any conflicting national standards. | EN 303 645 Foreword |
2025-08-01 | RED Delegated Act becomes mandatory; compliance with a future harmonised version of EN 303 645 will likely provide presumption of conformity. | RED Delegated Act |
Relationship to EU law
Law | How it interacts with EN 303 645 |
---|---|
Radio Equipment Directive (RED) | EN 303 645 is the primary candidate to become the harmonised standard for demonstrating compliance with the cybersecurity requirements of the RED Delegated Act (EU) 2022/30. Manufacturers who follow this standard will likely gain a "presumption of conformity" with the RED's essential requirements for network protection, privacy, and fraud prevention when the deadline arrives on 1 August 2025. |
Cyber Resilience Act (CRA) | The CRA's essential security requirements in Annex I are heavily based on the principles in EN 303 645. It is expected that a future version of this standard (or a new standard based on it) will become a harmonised standard for the CRA. For manufacturers of "Default" category consumer products, compliance with EN 303 645 is an excellent way to prepare for future CRA obligations. |
2. Scope
The standard applies to consumer IoT devices, which are defined as network-connected devices intended for consumer use. This includes devices that are directly connected to the internet or to a home network. The scope is broad and technology-neutral, focusing on the security outcomes rather than specific implementations (EN 303 645 § 1).
The standard also explicitly includes the associated services required for the device's functionality, such as mobile applications and cloud back-end services that are designed and developed by or under the responsibility of the manufacturer.
A non-exhaustive list of in-scope products includes (EN 303 645 § 1):
- Connected children's toys and baby monitors
- Connected smoke detectors, door locks, and window sensors
- IoT gateways, base stations, and hubs
- Smart cameras, smart speakers, and smart TVs
- Wearable health and fitness trackers
- Connected home automation and alarm systems
- Connected appliances (e.g., washing machines, refrigerators)
- Smart home assistants
The standard is intended to establish a baseline level of security. It does not cover more advanced attacks that are prolonged, sophisticated, or require sustained physical access to the device.
3. Requirements & How to Implement Them
The standard's security obligations are detailed in Section 5 (Cyber security provisions) and Section 6 (Data protection provisions). These provisions are outcome-focused, giving manufacturers the flexibility to choose the most appropriate technical solutions for their products.
The following tables translate those provisions into a practical engineering checklist. Each row links to the relevant implementation guide in this handbook, providing a clear, actionable path from the standard's text to the code and configuration required for compliance.
3.1 Cybersecurity Provisions (Section 5)
Obligation | Engineering Tasks | Implementation Guides |
---|---|---|
No universal default passwords (EN 303 645 § 5.1-1; TS 103 701 § 5.1; TR 103 621 § 6.1) | All device passwords must be unique per device or defined by the user. Brute-force attack mitigations must be implemented. | Unique Device Identity; Secure Configuration |
Implement vulnerability disclosure policy (EN 303 645 § 5.2-1; TS 103 701 § 5.2; TR 103 621 § 6.6) | Make a public vulnerability disclosure policy available and act on disclosed vulnerabilities in a timely manner. | Vulnerability Disclosure |
Keep software updated (EN 303 645 § 5.3-2; TS 103 701 § 5.3; TR 103 621 § 6.10) | Provide a secure update mechanism for all non-immutable software components. The defined support period must be published. | Secure OTA Updates; Patch Cadence |
Securely store sensitive security parameters (EN 303 645 § 5.4-1; TS 103 701 § 5.4; TR 103 621 § 6.25) | Store cryptographic keys and other sensitive parameters securely, using hardware-backed storage where appropriate. Do not hard-code credentials in software. | Key Provisioning & Storage |
Communicate securely (EN 303 645 § 5.5-1; TS 103 701 § 5.5; TR 103 621 § 6.29) | Use best practice cryptography to protect data in transit. Authenticate all external network connections where appropriate. | Key Provisioning & Storage |
Minimize exposed attack surfaces (EN 303 645 § 5.6-1; TS 103 701 § 5.6; TR 103 621 § 6.37) | Disable unused logical and physical interfaces. Run processes with the least privilege necessary. | Secure Configuration & Hardening |
Ensure software integrity (EN 303 645 § 5.7-1; TS 103 701 § 5.7; TR 103 621 § 6.46) | Use a secure boot mechanism to verify the integrity of the device's software. | Secure Boot |
Ensure personal data is secure (EN 303 645 § 5.8-2; TS 103 701 § 5.8; TR 103 621 § 6.49) | Protect the confidentiality of any sensitive personal data transmitted from the device to associated services using best practice cryptography. | Data Privacy & Secure Deletion |
Make systems resilient to outages (EN 303 645 § 5.9-2; TS 103 701 § 5.9; TR 103 621 § 6.52) | Ensure the device remains functional locally during network outages and reconnects in an orderly fashion after power restoration. | Device Lifecycle Management |
Examine system telemetry data (EN 303 645 § 5.10-1; TS 103 701 § 5.10; TR 103 621 § 6.54) | If telemetry data is collected, it should be examined for security anomalies. | Security Logging & Monitoring |
Make it easy for users to delete user data (EN 303 645 § 5.11-1; TS 103 701 § 5.11; TR 103 621 § 6.55) | Provide a simple mechanism for users to erase all their personal data from the device and any associated services. | Data Privacy & Secure Deletion |
Make installation and maintenance easy (EN 303 645 § 5.12-1; TS 103 701 § 5.12; TR 103 621 § 6.59) | Provide a simple, secure-by-default setup process and clear guidance for secure configuration. | User Documentation; Secure Configuration & Hardening |
Validate input data (EN 303 645 § 5.13-1A; TS 103 701 § 5.13; TR 103 621 § 6.62) | Validate data received from user interfaces and network interfaces to prevent system manipulation or failure. | CI/CD Hardening |
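As an added illustration of the first and fourth rows above (provisions 5.1-1 and 5.4-1), the following example code is not part of this handbook's linked guides or of the standard's text: it provisions a random per-device password, stores only a salted scrypt digest on the device, and locks the account after repeated wrong guesses. The lockout thresholds and the injectable clock are assumptions made for the example.

```python
import hashlib
import secrets
import string
import time

# Constructed policy values; a real product sets these from its own threat model.
ALPHABET = string.ascii_letters + string.digits
MAX_FAILURES = 5        # wrong passwords tolerated before the account locks
LOCKOUT_SECONDS = 300   # how long the account stays locked
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def provision_password(length: int = 12) -> str:
    """Create a random initial password for one unit at manufacturing time.
    Every unit gets its own value, so a leaked password exposes only that unit,
    which is what "no universal default passwords" (§ 5.1-1) requires."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str):
    """Return (salt, digest) for storage on the device. Only the salted scrypt
    digest is kept, never the plaintext or a credential baked into firmware
    (§ 5.4-1, sensitive security parameters)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


class LoginGuard:
    """Verifies a password and enforces a lockout after repeated failures, the
    brute-force mitigation § 5.1-1 asks for. The clock is injectable so the
    lockout can be exercised in tests without waiting."""

    def __init__(self, salt: bytes, digest: bytes, clock=time.monotonic):
        self._salt, self._digest, self._clock = salt, digest, clock
        self._failures = 0
        self._locked_until = 0.0

    def attempt(self, password: str) -> str:
        """Return "ok", "denied" or "locked" for one login attempt."""
        now = self._clock()
        if now < self._locked_until:
            return "locked"   # refuse without even evaluating the password
        candidate = hashlib.scrypt(password.encode(), salt=self._salt, **SCRYPT_PARAMS)
        if secrets.compare_digest(candidate, self._digest):
            self._failures = 0
            return "ok"
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self._locked_until = now + LOCKOUT_SECONDS
            self._failures = 0
        return "denied"
```

In a shipping device the failure counter and lock expiry must survive a reboot, otherwise power-cycling the unit resets the brute-force protection.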
3.2 Data Protection Provisions (Section 6)
Obligation | Engineering Tasks | Implementation Guides |
---|---|---|
Transparency of personal data processing (EN 303 645 § 6-1; TS 103 701 § 5.14.1; TR 103 621 § 7.1) | Provide clear information about what personal data is processed, for what purpose, by whom, and for how long. | Data Privacy & Secure Deletion |
Valid consent for data processing (EN 303 645 § 6-2; TS 103 701 § 5.14.2; TR 103 621 § 7.2) | Provide a means to acquire, store, and withdraw user consent for personal data processing. | Data Privacy & Secure Deletion |
Data minimization (EN 303 645 § 6-4; TS 103 701 § 5.14.4; TR 103 621 § 7.4) | Limit data collection and processing to only what is necessary for the stated purpose. Use aggregation and anonymization techniques where possible. | Data Privacy & Secure Deletion |
4. Assessment & Conformance
Compliance with EN 303 645 is voluntary. However, it serves as the primary technical specification for several mandatory regulatory schemes. Under those schemes, demonstrated conformance provides a presumption of conformity with the referencing regulation, simplifying the path to market access.
The standard itself defines the security outcomes, while a separate specification, ETSI TS 103 701, provides the corresponding test cases for third-party assessment. A manufacturer can submit their product to a testing laboratory, which will perform the tests defined in TS 103 701 to verify that each provision in EN 303 645 has been implemented correctly.
This assessment can be used to demonstrate compliance with regulations such as:
- EU Radio Equipment Directive (RED): EN 303 645 is expected to be the harmonised standard used to show compliance with the RED's cybersecurity articles.
- UK Product Security and Telecommunications Infrastructure (PSTI) regime: The UK's regulation is directly based on EN 303 645.
- Other international schemes: Similar regulations in Singapore, Finland, and Australia are also based on this standard.